Question

Ideally, surely it is best to use individual accounts over shared generic accounts whenever possible for authentication. The environment
I have inherited contains instrumentation, manufacturing, scales, and research equipment controlled by specialized software, used by multiple users to export test results for specific quality control components.

If a shared account had to be used for operational purposes and the machine is attached to an Active Directory domain for patching,
which would be the preferable option for authentication: a shared local account
or a shared domain account?
Which would be the lesser of two evils? What are some of the pros and cons of each, aside from the fact that individual accounts are the way to go in an enterprise environment?

Extra note: if a shared domain account is preferable, I am going to lock the machines down with group policies and AppLocker, so that the domain account
can only log in to the restricted PCs during business hours.

Answers

Ok, so you will need to use a shared domain account even if you already know that it is bad :(

The main advantage of using a local shared account is that if for any reason this account is compromised, it will only be local to the computer.

The con of using a local shared account is that it will be difficult to access network resources.

Regarding your extra note, it's a step you should take in order to secure the access. Also make sure that, regarding network access, the shared domain user and the group to which it belongs don't have any extra rights on the domain and
particularly the domain controller.
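One way to implement the lockdown the question describes and this answer endorses (tying the shared domain account to named PCs and to business hours) is shown below. This is an added example, not code posted in the thread; the account name, PC names, business hours and UTC offset are placeholders, and it assumes the RSAT ActiveDirectory module on a management host.

```powershell
# Added example: restrict a shared domain account to specific workstations
# and to business hours via the ActiveDirectory module (placeholders below).
Import-Module ActiveDirectory

$Account      = 'svc-scale-ops'          # placeholder shared account name
$Workstations = 'SCALE-01','SCALE-02'    # placeholder restricted PCs
$StartHour    = 7                         # local business-hours start
$EndHour      = 19                        # local business-hours end (exclusive)
$UtcOffset    = -5                        # local offset from UTC in hours (placeholder)

# logonHours is a 21-byte bitmap: 168 bits, one per hour, starting Sunday 00:00 UTC.
# Byte = hour-of-week / 8, bit = hour-of-week % 8 (bit 0 is the earliest hour).
function New-LogonHours {
    param([int]$StartHour, [int]$EndHour, [int]$UtcOffset, [int[]]$Days = 1..5)  # 1..5 = Mon..Fri
    $bitmap = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Convert the local hour to a UTC hour-of-week, wrapping across days and the week
            $hourOfWeek = (($day * 24 + $h - $UtcOffset) % 168 + 168) % 168
            $byteIndex  = [int][math]::Floor($hourOfWeek / 8)
            $bitIndex   = $hourOfWeek % 8
            $bitmap[$byteIndex] = $bitmap[$byteIndex] -bor (1 -shl $bitIndex)
        }
    }
    return $bitmap
}

$hours = New-LogonHours -StartHour $StartHour -EndHour $EndHour -UtcOffset $UtcOffset

# LogonWorkstations limits interactive logon only; network logons (e.g. to the
# corporate server) are still allowed, which is the point of using a domain account.
Set-ADUser -Identity $Account `
    -LogonWorkstations ($Workstations -join ',') `
    -Replace @{ logonHours = $hours }

# Verify by reading the stored bitmap back and testing one UTC hour (Monday 13:00 UTC)
$stored  = (Get-ADUser -Identity $Account -Properties logonHours).logonHours
$check   = 1 * 24 + 13
$allowed = ($stored[[int][math]::Floor($check / 8)] -band (1 -shl ($check % 8))) -ne 0
"Monday 13:00 UTC allowed for ${Account}: $allowed"
```

The logonHours attribute is stored in UTC and the AD Users and Computers GUI shifts it to the viewing machine's time zone, so set the offset for the site where the PCs live and re-check after daylight-saving changes.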

All replies

Both. For example, one computer may be hooked to an industrial floor scale and camera. This end-user device will measure the weight and dimensions of a crate on an assembly line but needs to print labels and log the data to a corporate server.

The second example could be that rotating workers have a computer attached to a microscope to run sample products through to log quality control defects for data analysis, but they need access to back up the local data, print, adhere to company
endpoint policies, etc.

They will sometimes need to access archival data records from an onsite data store. This involves several hundred end-user devices as well.